SafeSign Identity Client Standard Product Description for Windows
Page 1: SafeSign Identity Client Standard - UZI-register · i This document contains information of a proprietary nature. No part of this manual may be reproduced or transmitted in any form

Warning Notice

This document contains information of a proprietary nature. No part of this manual may be reproduced or transmitted in any form or by any means electronic, mechanical or otherwise, including photocopying and recording for any purpose other than the purchaser's personal use without written permission of A.E.T. Europe B.V. Individuals or organisations which are authorised by A.E.T. Europe B.V. in writing to receive this information may utilise it for the sole purpose of evaluation and guidance.

All information herein is either public information or is the property of and owned solely by A.E.T. Europe B.V., who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. This information is subject to change as A.E.T. Europe B.V. reserves the right, without notice, to make changes to its products, as progress in engineering or manufacturing methods or circumstances warrant.

Installation and use of A.E.T. Europe B.V. products are subject to your acceptance of the terms and conditions set out in the license Agreement which accompanies each product. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of A.E.T. Europe B.V. information.

Cryptographic products are subject to export and import restrictions. You are required to obtain the appropriate government licenses prior to shipping this Product.

The information contained in this document is provided "AS IS" without any warranty of any kind. Unless otherwise expressly agreed in writing, A.E.T. Europe B.V. makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, A.E.T. Europe B.V. reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.

A.E.T. EUROPE B.V. HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THE INFORMATION CONTAINED HEREIN, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL A.E.T. EUROPE B.V. BE LIABLE, WHETHER IN CONTRACT, TORT OR OTHERWISE, FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING BUT NOT LIMITED TO DAMAGES RESULTING FROM LOSS OF USE, DATA, PROFITS, REVENUES, OR CUSTOMERS, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION CONTAINED IN THIS DOCUMENT.

SafeSign IC © 1997 – 2014 A.E.T. Europe B.V. All rights reserved.

SafeSign IC is a trademark of A.E.T. Europe B.V. All A.E.T. Europe B.V. product names are trademarks of A.E.T. Europe B.V. All other product and company names are trademarks or registered trademarks of their respective owners.

Credit information: This product includes cryptographic software written by Eric A. Young (eay@cryptsoft.com). This product includes software written by Tim J. Hudson (tjh@cryptsoft.com).

Document Information

Title: SafeSign Identity Client Standard Product Description for Windows
Document ID: SafeSign-IC-Standard_3.0_Windows_Product_Description.docx
Project: SafeSign IC Release Documentation

Document revision history

Version  Date        Author                Changes
1.0      05-05-2008  Drs. C.M. van Houten  First edition for SafeSign IC Standard Version 3.0 for Windows (release 3.0.11)
1.1      25-06-2008  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.15)
1.2      31-10-2008  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.18)
1.3      09-01-2009  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.23)
1.4      08-04-2009  Drs. C.M. van Houten  Updated for SafeSign IC Standard Version 3.0 for Windows (release 3.0.23)
1.5      29-09-2009  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.33)
1.6      10-08-2010  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.40)
1.7      07-04-2011  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.45)
1.8      11-05-2011  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.45)
1.9      16-05-2011  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.45)
2.0      05-07-2012  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.70)
2.1      17-07-2012  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.74)
2.2      15-08-2012  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.76)
2.3      28-02-2013  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.80)
2.4      14-03-2013  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.87)
2.5      28-06-2013  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.88)
2.6      19-12-2013  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.93)
2.7      15-07-2014  Drs. C.M. van Houten  Edited for SafeSign IC Standard Version 3.0 for Windows (release 3.0.97)

WE RESERVE THE RIGHT TO CHANGE SPECIFICATIONS WITHOUT NOTICE

Table of Contents

1 Introduction
2 SafeSign Identity Client Functionality
3 Features
  3.1 Multiple Token Support
    3.1.1 Version 3.0.93
    3.1.2 Version 3.0.97
  3.2 Multiple language support
  3.3 Multiple OS Support
    3.3.1 Version 3.0.93
  3.4 Support for Remote Desktop Connection
  3.5 Support for Igel thin clients
  3.6 Support for PIN timeout
  3.7 Support for PC/SC 2.0 secure pinpad readers
  3.8 Support for maximum PUK and PIN length
  3.9 Support for virtual readers in PKCS #11
  3.10 SafeSign IC Credential Provider
    3.10.1 Features
    3.10.2 Limitations
    3.10.3 SafeSign IC Credential Provider configuration
    3.10.4 Changed "smart card sign-in experience"
  3.11 Support for SHA-2
  3.12 Support for AES
  3.13 Certificate Propagation
  3.14 Support for CNG Key Storage Provider
  3.15 Support for Event Logging
  3.16 Support for new cards and applet functionality
    3.16.1 Support for the RIC card
    3.16.2 Support for PIN policy
    3.16.3 Support for recycling the token
    3.16.4 Support for secure messaging
  3.17 Support for 3DES key storage on the card
4 End User Documentation
5 Supported and Tested PC Operating Systems
6 Supported languages
7 Supported and Tested Smart Card Readers
8 Supported and Tested Hardware Tokens
  8.1 STARCOS Cards
  8.2 Java Cards
    8.2.1 Java Card 2.1.1
    8.2.2 Java Card 2.2.x
    8.2.3 Java Card 3.0
  8.3 Belgium Identity Card
  8.4 IDpendant
  8.5 Multos
  8.6 RSA
  8.7 SECCOS
  8.8 Siemens
  8.9 Swiss Cards
  8.10 Supported ATRs
9 Supported Applications
  9.1 Public Key Infrastructure
  9.2 Client Applications

List of Figures

Figure 1: SafeSign IC product packaging
Figure 2: Remote Desktop Connection: Enter credentials
Figure 3: Change Timeout
Figure 4: Virtual Reader support in PKCS#11
Figure 5: SafeSign IC Credential Provider for Windows Vista and 7
Figure 6: SafeSign IC Credential Provider in Windows 8 and Server 2012
Figure 7: Event viewer when PIN is locked

About the Product

SafeSign Identity Client (IC) is a software package that can be used to enhance the security of applications that support hardware tokens through PKCS #11 and Microsoft CryptoAPI.

The SafeSign IC package provides a standards-based PKCS #11 Library as well as a Cryptographic Service Provider (CSP) and CNG Key Storage Provider (KSP), allowing users to store public and private data on a personal token, either a smart card, USB token or SIM card. It also includes the SafeSign IC PKI applet, enabling end-users to utilise any Java Card 2.1.1 / Java Card 2.2 and higher compliant card with the SafeSign IC middleware.

Combining full compliance with leading industry standards and protocols with flexibility and usability, SafeSign IC can be used with multiple smart cards / USB tokens, multiple Operating Systems and multiple smart card readers. SafeSign IC allows users to initialise and use the token for encryption, authentication or digital signatures and includes all functionality necessary to use hardware tokens in a variety of PKI environments.

SafeSign Identity Client comes in a standard version with an installer for the following Windows environments (with the latest Service Packs)[1]: Windows XP (Professional), Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008 (R2) and Windows Server 2012 (R2)[2].

In principle, SafeSign Identity Client supports any PC/SC (including PC/SC 2.01) compliant smart card reader. However, to avoid power problems, the reader must be able to supply a current of at least 60 mA to the card. PC/SC driver software is available from the web site of the smart card reader manufacturer.

Note that SafeSign Identity Client supports virtualization type I (native, bare-metal hypervisors), i.e. SafeSign Identity Client installed on servers/desktops which run, for example, on VMware ESX, Citrix XenDesktop or Oracle/Sun VM VirtualBox directly on bare-metal hypervisors. Virtualization type II (hosted hypervisors), such as VMware Workstation, is not supported.

[1] Windows NT 4.0 is supported up to SafeSign Identity Client 1.0.9.04, in line with Microsoft's end-of-life policy. Windows 98 and Windows ME are supported up to SafeSign Identity Client 2.3.0 (< 2.3.0), in line with Microsoft's end-of-life policy. Windows 2000 is supported up to SafeSign Identity Client 3.0.33 (≤ 3.0.33), in line with Microsoft's end-of-life policy.

[2] Windows Server 2012 runs only on x64 processors.

About the Document

This product description is specifically designed for administrators / advanced users of SafeSign IC Standard Version 3.0.97 / 3.0.97-x64 for Windows, who wish to use their SafeSign IC token to enhance the security of their communications via the Internet and be able to perform advanced token operations. It defines the features of SafeSign Identity Client Standard and the supported configurations that were tested by its developer A.E.T. Europe B.V.

Please refer to the SafeSign IC Application User Guides or your application's documentation to find out how to generate a key pair and download a certificate onto your SafeSign IC token and how to use it to enhance the security of your client application.

While reading this document, take into account the notes in black and the larger ones in blue.

This document is part of the release documentation for SafeSign IC.

1 Introduction

SafeSign Identity Client is a software package to enhance the security of applications that support PKCS #11 and Microsoft CryptoAPI (NG) by means of hardware tokens, i.e. smart cards, USB tokens or SIM cards.

The SafeSign Identity Client package provides the SafeSign Identity Client PKCS #11 Library and Cryptographic Service Provider / Key Storage Provider, which allow the user to generate and store public and private data on a personal token.

Figure 1: SafeSign IC product packaging

2 SafeSign Identity Client Functionality

SafeSign Identity Client includes all functionality necessary to use hardware tokens in a variety of Public Key Infrastructures (PKIs). This includes:

• Cryptographic Service Provider (CSP) for integration in applications supporting Microsoft CryptoAPI, including Microsoft Internet Explorer and Outlook.
• Key Storage Provider (KSP) for integration in applications and Operating Systems supporting Cryptography API: Next Generation (CNG).
• PKCS #11 for integration with applications supporting PKCS #11, including Mozilla Firefox.
• PKCS #12 support.
• PKCS #15 support.
• PKCS #8 support (secure key wrap / unwrap).
• Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, 2008 (R2) and 2012 (R2) logon support; Windows Server 2003, 2008 (R2) and 2012 (R2) Remote Desktop Services and Citrix logon support.
• PC/SC v2.01 support.
• End user and administrator documentation. All documentation is in the English language.
• Installation procedure for SafeSign Identity Client components (including PKCS #11, CSP, KSP, Token Utilities).
• SafeSign Identity Client GINA (Windows XP) and Credential Provider (Windows Vista and higher) to facilitate logon with protected authentication path readers (such as secure pin pad Class 2 and 3 readers).
• Token Utilities for such operations as: token initialisation, token visualisation, import of Digital IDs (including certificate chains), change PIN/PUK and unlock PIN.

3 Features

The following features are supported by SafeSign Identity Client Standard Version 3.0 for Windows:

• Multiple token support;
• Multiple language support;
• Multiple OS support;
• Remote Desktop Connection;
• Support for Igel thin clients;
• Support for PIN timeout;
• Support for PC/SC 2.0 secure pinpad readers;
• Support for maximum PUK and PIN length;
• Support for virtual readers in PKCS#11;
• SafeSign IC Credential Provider;
• Support for SHA-2;
• Support for AES;
• Support for Microsoft Certificate Propagation;
• Support for Cryptography API: Next Generation (CNG) Key Storage Provider;
• Support for Event Logging;
• Support for new cards and applet functionality;
• Support for 3DES key storage on the card.

3.1 Multiple Token Support

A token is a chip with an on-board operating system, either integrated into a smart card with an ISO 7816 interface or into a device with a USB interface (a "USB token").

SafeSign Identity Client Standard Version 3.0 for Windows supports a number of different tokens, listed in Chapter 8: Supported and Tested Hardware Tokens.

3.1.1 Version 3.0.93

In version 3.0.93 the following tokens were added:

• Athena IDProtect Duo V3 ST23YR80
• Device Fidelity credenSE v2.10J microSD card
• Gemalto MultiApp ID v2.1
• Gemalto UpTeq NFC SIM 2.0
• Giesecke & Devrient SkySIM CX Scorpius
• Identive SCT3522 USB Token (with NXP JCOP 2.4.1 R3)
• Morpho JMV ProCL V3.0
• NXP JCOP 2.4.2 R3 card
• Oberthur IDOne Cosmo v7.0.1

3.1.2 Version 3.0.97

In the latest version, 3.0.97, the following token was added:

• Identive SCT3522DI Mifare Flex USB Token (with NXP JCOP 2.4.2 R2)

3.2 Multiple language support

SafeSign Identity Client Standard Version 3.0 for Windows supports a number of different languages, listed in Chapter 6: Supported languages.

Note: In SafeSign IC version 3.0.93 a number of languages have been updated and improvements have been made in the Token Utility with regard to incomplete message strings.

3.3 Multiple OS Support

SafeSign Identity Client Version 3.0 supports a number of Windows Operating Systems, as listed in Chapter 5: Supported and Tested PC Operating Systems.

Note: The 32-bit version of SafeSign Identity Client is for 32-bit Operating Systems only. Although it will install on a 64-bit Operating System, it will not work there with either 32-bit or 64-bit applications. A 32-bit installer writes the token information (ATR) and the associated SafeSign Identity Client CSP registration to the 32-bit (WOW6432Node) branch of the registry, so they are missing from the 64-bit branch that the Microsoft Certificate Propagation Service reads, and the certificates on the token are not registered. For use on 64-bit Operating Systems a 64-bit version of SafeSign Identity Client is available, which works with both 32-bit and 64-bit applications.
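The registry symptom described in the note above can be checked directly rather than inferred from a failing logon. The script below is an added example, not part of the SafeSign product or its documentation: it reads the Windows smart card database, HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards, through both the 64-bit and the 32-bit (WOW6432Node) registry views from one process, lists the card entries that exist only in the 32-bit view, and applies the Calais ATR/ATRMask matching rule to an ATR passed on the command line to show which CSP/KSP the 64-bit view would select for it. It assumes a 64-bit Windows host and the standard-library winreg module; the ATR values used in the test are constructed.

```python
"""Compare the Windows smart card database (Calais) between the 64-bit and the
32-bit (WOW6432Node) registry views.

Added example, not part of SafeSign or its documentation. Assumes a 64-bit
Windows host for the registry reads; the pure helper functions run anywhere."""
import sys

CALAIS = r"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
VALUES = ("ATR", "ATRMask", "Crypto Provider", "Smart Card Key Storage Provider")


def read_calais(wow64_flag):
    """Read every card entry under the Calais key in one registry view.

    wow64_flag is winreg.KEY_WOW64_64KEY or winreg.KEY_WOW64_32KEY, so one
    64-bit process can inspect both views without spelling out WOW6432Node paths."""
    import winreg  # Windows only; imported here so the pure helpers import anywhere

    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CALAIS, 0,
                        winreg.KEY_READ | wow64_flag) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name, 0, winreg.KEY_READ | wow64_flag) as card:
                entry = {}
                for value in VALUES:
                    try:
                        entry[value] = winreg.QueryValueEx(card, value)[0]
                    except FileNotFoundError:
                        pass  # optional value, e.g. no KSP registered for this card
                entries[name] = entry
    return entries


def missing_from_64bit(view32, view64):
    """Card entries registered only in the 32-bit view: the symptom of a 32-bit
    middleware install on a 64-bit OS, invisible to 64-bit CSP/KSP lookups."""
    return sorted(set(view32) - set(view64))


def atr_matches(card_atr, entry):
    """Calais matching rule: each ATR byte is ANDed with the ATRMask byte before
    comparison; the lengths of the card ATR, registered ATR and mask must agree."""
    reg_atr, mask = bytes(entry["ATR"]), bytes(entry["ATRMask"])
    if not len(card_atr) == len(reg_atr) == len(mask):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, reg_atr, mask))


def providers_for(card_atr, view):
    """(name, CSP, KSP) of every entry in a view whose masked ATR matches card_atr."""
    hits = []
    for name, entry in view.items():
        if "ATR" in entry and "ATRMask" in entry and atr_matches(card_atr, entry):
            hits.append((name, entry.get("Crypto Provider"),
                         entry.get("Smart Card Key Storage Provider")))
    return hits


def main(argv):
    import winreg
    view64 = read_calais(winreg.KEY_WOW64_64KEY)
    view32 = read_calais(winreg.KEY_WOW64_32KEY)
    print(f"{len(view64)} card entries in the 64-bit view, {len(view32)} in WOW6432Node")
    for name in missing_from_64bit(view32, view64):
        print("only in the 32-bit view (64-bit lookups will not find it):", name)
    if len(argv) > 1:  # optional: hex ATR of the inserted card (certutil -scinfo prints it)
        atr = bytes.fromhex(argv[1])
        for name, csp, ksp in providers_for(atr, view64) or [("no 64-bit match", None, None)]:
            print(f"{name}: CSP={csp} KSP={ksp}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as an administrator after installing the middleware; an entry that shows up as "only in the 32-bit view" is exactly the registration the Certificate Propagation Service cannot see, and an inserted card whose ATR yields "no 64-bit match" will not get a CSP assigned for 64-bit callers.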

3.3.1 Version 3.0.93

In SafeSign Identity Client 3.0.93 support for the following Windows Operating Systems was added:

• Windows 8.1[3]
• Windows Server 2012 R2.

Note: Windows Server 2012 (R2) only runs on x64 processors, so you should install the 64-bit version of SafeSign Identity Client version 3.0.93 (3.0.93-x64) on Windows Server 2012 (R2).

3.4 Support for Remote Desktop Connection

SafeSign Identity Client supports Microsoft Remote Desktop Connection 6.0, 6.1, 7.0, 7.1, 8.0 and 8.1. You first need to (or are allowed to) select the credentials on the smart card and enter the PIN in the Remote Desktop Connection dialog:

Figure 2: Remote Desktop Connection: Enter credentials

3.5 Support for Igel thin clients

Support for IGEL Linux-based thin clients is activated by default in SafeSign Identity Client for the supported Java Card v2.2 (and higher) cards. Because the SafeSign libraries are integrated into the thin client firmware by default, you can use your token to gain access to the terminal and its associated sessions.

This only applies to cards personalised with SafeSign 3.0.15 (or higher)[4].

[3] SafeSign IC (Token Utility) runs as a desktop application.

[4] Because this is set during initialisation (i.e. writing the PKCS #15 structure) of the token, together with the token label, PUK and PIN.

3.6 Support for PIN timeout

In SafeSign Identity Client it is possible to set a PIN timeout, for both PKCS #11 and CSP applications, for Java Card v2.2+ cards.

By default the PIN timeout is disabled. When it is enabled, you will be asked to log in to the token again, i.e. the SafeSign PIN dialog will be displayed, once the maximum amount of time has passed since the last login to the token. In practice this means that, for example, when using Outlook to send signed e-mail messages or Adobe Reader to sign a document, you will be asked to enter your PIN again after that time. The timeout therefore bounds how long a logged-in token can be used for signing without the user re-authenticating, which is the reason to enable it.

The timeout value for a particular token can be set in the Token Administration Utility through the menu Token > Change PIN Timeout, with the (initialised) token inserted and after entering the correct PIN. When the timeout is enabled (by deselecting "Pin Timeout disabled", as in the dialog below), you can set the timeout value:

Figure 3: Change Timeout

The PIN Timeout cannot be set to 0 (zero) seconds, as this would expire the PIN immediately when it is entered and the credentials on the token could not be used. The minimum PIN Timeout value is therefore 20 seconds.

There is a known issue when setting the PIN Timeout: its value is not displayed in the Token Utility's Show Token Info dialog. When it is not set, this dialog displays "disabled"; when it is set, no value is displayed. This will be fixed in a next release.

Note: The PIN Timeout feature does not work with secure pin pad readers, i.e. it cannot be set and does not work within applications.

3.7 Support for PC/SC 2.0 secure pinpad readers

From SafeSign Identity Client version 3.0.33 onwards (≥ 3.0.33), only secure pin pad readers supporting PC/SC 2.0 Part 10 are supported. This means that Class 2 and 3 secure pin pad readers that were previously supported may no longer be supported.

The PC/SC 2.0 readers supported in SafeSign Identity Client are:

• Cherry SmartBoard XX44;
• Cherry SmartTerminal ST-2000U (ST-2000UCZ / ST-2000UC-R);
• OMNIKEY 3821 USB pinpad;
• Reiner SCT cyberJack pinpad;
• Reiner SCT cyberJack e-com;
• Reiner SCT cyberJack secoder;
• SCM Microsystems SPR532 PINpad Reader[5].

Note that for the Cherry SmartTerminal ST-2000U and the SCM Microsystems SPR532 PINpad Reader, you should use the drivers downloadable from the Identive web site rather than the version available on the Cherry web site, for these readers to function correctly.
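Whether a reader that is not on the list above actually implements PC/SC 2.0 Part 10 secure PIN entry can be verified without vendor documentation: a Part 10 reader answers the CM_IOCTL_GET_FEATURE_REQUEST control code with a TLV list of the features it supports, and the middleware can only keep the PIN on the pad if FEATURE_VERIFY_PIN_DIRECT (or the VERIFY_PIN_START/FINISH pair) is among them. The script below is an added example, not part of SafeSign or its documentation. It builds the control code for the current platform, parses the feature list and decides whether secure PIN entry is available; the live query assumes the pyscard package (smartcard.scard) is installed and takes the PC/SC reader name as argument, while the parser is pure Python and the TLV response used in the test is constructed.

```python
"""Discover PC/SC 2.0 Part 10 features (secure PIN entry) of a smart card reader.

Added example, not part of SafeSign or its documentation. The reader query uses
pyscard (assumed installed); the TLV parser has no dependencies."""
import sys

# Part 10 feature tags as returned by CM_IOCTL_GET_FEATURE_REQUEST
FEATURES = {
    0x01: "FEATURE_VERIFY_PIN_START", 0x02: "FEATURE_VERIFY_PIN_FINISH",
    0x03: "FEATURE_MODIFY_PIN_START", 0x04: "FEATURE_MODIFY_PIN_FINISH",
    0x05: "FEATURE_GET_KEY_PRESSED", 0x06: "FEATURE_VERIFY_PIN_DIRECT",
    0x07: "FEATURE_MODIFY_PIN_DIRECT", 0x08: "FEATURE_MCT_READER_DIRECT",
    0x09: "FEATURE_MCT_UNIVERSAL", 0x0A: "FEATURE_IFD_PIN_PROPERTIES",
    0x0B: "FEATURE_ABORT", 0x0C: "FEATURE_SET_SPE_MESSAGE",
    0x0D: "FEATURE_VERIFY_PIN_DIRECT_APP_ID", 0x0E: "FEATURE_MODIFY_PIN_DIRECT_APP_ID",
    0x0F: "FEATURE_WRITE_DISPLAY", 0x10: "FEATURE_GET_KEY",
    0x11: "FEATURE_IFD_DISPLAY_PROPERTIES", 0x12: "FEATURE_GET_TLV_PROPERTIES",
    0x13: "FEATURE_CCID_ESC_COMMAND",
}


def control_code(function):
    """SCARD_CTL_CODE(): Windows packs FILE_DEVICE_SMARTCARD (0x31) into an IOCTL
    with METHOD_BUFFERED/FILE_ANY_ACCESS; pcsc-lite uses a flat 0x42000000 base."""
    if sys.platform == "win32":
        return (0x31 << 16) | (function << 2)
    return 0x42000000 + function


CM_IOCTL_GET_FEATURE_REQUEST = control_code(3400)


def parse_feature_list(data):
    """Decode the Part 10 feature list: repeated tag(1) length(1, always 4)
    control-code(4, big-endian). Anything else is malformed and rejected."""
    features = {}
    i = 0
    while i < len(data):
        if i + 6 > len(data) or data[i + 1] != 4:
            raise ValueError(f"malformed feature TLV at offset {i}")
        tag = data[i]
        features[FEATURES.get(tag, f"FEATURE_0x{tag:02X}")] = int.from_bytes(data[i + 2:i + 6], "big")
        i += 6
    return features


def supports_secure_pin_entry(features):
    """True when the reader can verify the PIN on its own pad, so the PIN never
    passes through the host: VERIFY_PIN_DIRECT or the START/FINISH pair."""
    if "FEATURE_VERIFY_PIN_DIRECT" in features:
        return True
    return {"FEATURE_VERIFY_PIN_START", "FEATURE_VERIFY_PIN_FINISH"}.issubset(features)


def query_reader(reader_name):
    """Ask the reader for its feature list via pyscard. Part 10 permits this with
    no card inserted: connect with SCARD_SHARE_DIRECT and protocol 0
    (SCARD_PROTOCOL_UNDEFINED), so the pinpad can be checked before any token is present."""
    from smartcard.scard import (SCardEstablishContext, SCardConnect, SCardControl,
                                 SCardDisconnect, SCardReleaseContext, SCARD_SCOPE_USER,
                                 SCARD_SHARE_DIRECT, SCARD_LEAVE_CARD, SCARD_S_SUCCESS)
    hresult, hcontext = SCardEstablishContext(SCARD_SCOPE_USER)
    if hresult != SCARD_S_SUCCESS:
        raise RuntimeError("SCardEstablishContext failed: 0x%08X" % hresult)
    hresult, hcard, _protocol = SCardConnect(hcontext, reader_name, SCARD_SHARE_DIRECT, 0)
    try:
        if hresult != SCARD_S_SUCCESS:
            raise RuntimeError("SCardConnect failed: 0x%08X" % hresult)
        hresult, response = SCardControl(hcard, CM_IOCTL_GET_FEATURE_REQUEST, [])
        if hresult != SCARD_S_SUCCESS:
            raise RuntimeError("SCardControl failed: 0x%08X" % hresult)
        return parse_feature_list(bytes(response))
    finally:
        SCardDisconnect(hcard, SCARD_LEAVE_CARD)
        SCardReleaseContext(hcontext)


if __name__ == "__main__":
    found = query_reader(sys.argv[1])
    for name, ioctl in sorted(found.items()):
        print(f"{name:36} control code 0x{ioctl:08X}")
    print("secure PIN entry:", "yes" if supports_secure_pin_entry(found) else "no")
```

A reader that returns an empty list, or an SCardControl error, is a plain Class 1 reader as far as Part 10 is concerned and the PIN will be entered on the host keyboard; that is the case the PC/SC 2.0 requirement in this section is meant to exclude.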

3.8 Support for maximum PUK and PIN length

SafeSign Identity Client supports a maximum PUK and PIN length. The registry keys for the different supported profiles contain the values for the maximum PUK length and the maximum PIN length, which can be edited. Different values can be used for the maximum PIN length and the maximum PUK length for the supported Java Card v2.2+ cards.

3.9 Support for virtual readers in PKCS #11

In SafeSign Identity Client version 3.0.40 (≥ 3.0.40) a new concept was introduced in the PKCS #11 library, called "Virtual Readers".

In accordance with the PKCS #11 standard, the insertion and removal of smart card readers (devices) / slots is not detected once the PKCS #11 Library is loaded[6]. In practice this means that when a user has started a PKCS #11 application such as Firefox, adding (or removing) a reader or USB token will not be detected, and if the user then tries to use the token for authentication to a web site, this will fail. This has been solved by implementing virtual reader slots. The PKCS #11 Library not only provides the list of (physical) readers attached to the system, but also a list of virtual reader slots, which are filled with additional readers when these become present on the system. When a user then plugs in a new reader or USB token, a virtual reader is replaced by the actual reader plugged in.

[5] When upgraded to the latest firmware and drivers.

[6] The PKCS #11 specification states: "the set of slots accessible through a Cryptoki library is fixed at the time that C_Initialize is called. If an application calls C_Initialize and C_GetSlotList, and then the user hooks up a new hardware device, that device cannot suddenly appear as a new slot if C_GetSlotList is called again."

Page 16: SafeSign Identity Client Standard - UZI-register · i This document contains information of a proprietary nature. No part of this manual may be reproduced or transmitted in any form

3 | Features 15

This can be observed in e.g. Firefox, where a list of empty slots / virtual readers will be displayed, once the

SafeSign PKCS #11 Library is installed as a security module:

Figure 4: Virtual Reader support in PKCS#11

3.10 SafeSign IC Credential Provider

In Windows Vista and higher, the Microsoft GINA (msgina.dll) has been removed, and custom GINAs will not be loaded on systems running Windows Vista and later versions. Instead, the Winlogon behaviour can be customized by implementing and registering a custom Credential Provider.

Figure 5: SafeSign IC Credential Provider for Windows Vista and 7

In Windows 8 and Windows Server 2012, the SafeSign Credential Provider will look like this (when setting up a Remote Desktop Connection):

Figure 6: SafeSign IC Credential Provider in Windows 8 and Server 2012

3.10.1 Features

The SafeSign IC Credential Provider is a smart card credential provider, interacting with the SafeSign IC components. The SafeSign IC Credential Provider will only display one tile for each token / user credential. When the SafeSign IC Credential Provider is installed, the Microsoft Credential Provider will be deregistered, to ensure that users can benefit from all the features of the SafeSign IC Credential Provider.

The SafeSign IC Credential Provider includes the following features:

Support of secure pin pad readers;

Display tiles for workstation smart card logon;

Display tiles for remote smart card logon (through RDP);

Display tiles to allow the user to change the PIN of his token;

Display tiles to allow the user to unlock the token’s PIN through the PUK;

Display tiles to allow the user to unlock the token’s PIN through challenge-response;

Display tiles to allow the user to change the Transport PIN of a token;

Display smart card credentials on UAC elevation;

Display tiles for unlocking a workstation;

Display a meaningful message when the token is not initialized or does not contain a valid certificate.

3.10.2 Limitations

The current SafeSign IC Credential Provider does not support multiple certificates on one token. When you have more than one (smart card logon) certificate on a token, it is recommended not to install the SafeSign IC Credential Provider, but to use the Microsoft Credential Provider instead. Because the SafeSign IC Credential Provider does not support multiple certificates on a token, and because SafeSign Identity Client is also installed on standalone machines (not connected to a domain or where smart card logon is not used), the SafeSign IC Credential Provider is not installed by default in SafeSign Identity Client; the Microsoft Credential Provider will be used.

Also, the SafeSign IC Credential Provider will assign the first certificate (loaded) on the card as the certificate for logon. When there are multiple certificates on the card (such as CA certificates and personal certificates), the first certificate should be the smart card logon certificate, if the card is to be used for smart card logon. This means that if the first certificate loaded on the card is a CA certificate, that certificate will be selected during logon (making logon impossible): the certificate will not be displayed and the message that no valid credentials for logon were found is displayed.

Note

If the features of the Credential Provider are not required, it is recommended not to install the Credential Provider on Windows Server 2008 (R2) / Windows Server 2012 (R2). If you do install it, you will be asked to authenticate twice: once on the local desktop, once on the remote desktop.

SafeSign IC Credential Provider does not support PLAP / Single Sign-On[7]. This means that when setting up a (Microsoft) VPN connection, the SafeSign Credential Provider will not be available. Also, when setting up a remote desktop connection to a Terminal Server and entering your credentials locally, you will be asked for your credentials again upon connecting.

For those users who would like to use the features of the SafeSign IC Credential Provider (as listed in paragraph 3.10.1), for example because they are using a secure pin pad reader or want to offer their users the ability to change their PIN during logon, the SafeSign Identity Client installer of the version that was used to install SafeSign Identity Client can be run again to modify the existing installation, upon which the SafeSign IC Credential Provider can be selected.

3.10.3 SafeSign IC Credential Provider configuration

3.10.3.1 Customisation PIN Unlock

If there is a Challenge / Response (C/R) key (generated) on the token, there are three methods available for unblocking the token during login with the SafeSign IC Credential Provider:

Off-line PIN unlock (PUK);

On-line Challenge/Response;

On-line Witness/Challenge/Response.

[7] Single Sign-On (SSO) API represents a set of methods used to obtain EAP method specific credentials for a network user or computer account in a secure fashion without having to raise multiple UI instances.

For customisation of the available methods, the SafeSign IC Credential Provider registry key (i.e. [HKEY_LOCAL_MACHINE\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0\Credential Provider\]) now includes a new DWORD value called “UnblockingMethods”, allowing you to customise which unblocking methods are displayed. Each method corresponds to one bit of the value (PUK = 1, C/R = 2, Witness C/R = 4), and the available combinations are defined in the following way:

Witness C/R   C/R   PUK   DWORD Value   Remark
    0          0     1         1        Only PUK
    0          1     0         2        Only CR
    0          1     1         3        Customer Requirement: CR and PUK
    1          0     0         4        Only WCR
    1          0     1         5        WCR and PUK
    1          1     0         6        WCR and CR
    1          1     1         7        All Methods available (=default)

In order to disable all unblocking methods, the value EnablePINUnlock should be disabled (changed from 1 to 0).

3.10.3.2 Windows 8

For Windows 8, Microsoft uses a new identifier for their Credential Provider, i.e.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{8FD7E19C-3BF7-489B-A72C-846AB3678C96}]

In Windows Vista and Windows 7, this value was:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{8bf9a910-a8ff-457f-999f-a5ca10b4a885}]

In SafeSign Identity Client version 3.0.80 and higher (≥ 3.0.80), rather than removing the Microsoft Credential Provider when the SafeSign Credential Provider is installed, we disable it, by adding a new DWORD value, called “Disable”. If this value is changed from 1 to 0, then the Microsoft Credential Provider will be enabled again. Note however, that this will cause both Credential Providers to be available.

Note

In Windows 8, it seems that the Microsoft and SafeSign IC Credential Provider can co-exist, but in order to avoid confusion for the user (when two choices are proposed to perform the same operation), it is recommended to use one or the other.
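As an added example (not part of the SafeSign documentation), the following PowerShell script reads the registry values described in 3.10.3.1 and 3.10.3.2 and reports which unblocking methods the logon screen will offer and whether the Microsoft Credential Provider is still enabled alongside the SafeSign one. The registry paths, value names and GUIDs are the ones quoted above; the bit assignment (PUK = 1, C/R = 2, Witness C/R = 4) is read off the table, and treating an absent EnablePINUnlock or UnblockingMethods value as the documented default is an assumption.

```powershell
# Added example: audit of the SafeSign IC Credential Provider unblocking configuration.
# Not part of the SafeSign product; paths and value names are those quoted in 3.10.3.1 / 3.10.3.2.
# Run in an elevated PowerShell 3.0+ session on a machine with SafeSign Identity Client installed.

$SafeSignCpKey = 'HKLM:\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0\Credential Provider'
$MsCpBase      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$MsSmartCardCp = @{
    'Windows 8 / Server 2012' = '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'
    'Windows Vista / 7'       = '{8bf9a910-a8ff-457f-999f-a5ca10b4a885}'
}

# Bit layout of the UnblockingMethods DWORD, taken from the table in 3.10.3.1.
$UnblockBits = [ordered]@{ PUK = 1; CR = 2; WCR = 4 }

function ConvertFrom-UnblockingMethods {
    param([Parameter(Mandatory)][int]$Value)
    # Returns the names of the methods whose bit is set; 7 (the default) yields all three.
    if ($Value -lt 0 -or $Value -gt 7) { throw "UnblockingMethods must be 0..7, got $Value" }
    $UnblockBits.Keys | Where-Object { ($Value -band $UnblockBits[$_]) -ne 0 }
}

function ConvertTo-UnblockingMethods {
    param([Parameter(Mandatory)][string[]]$Methods)
    # Inverse: build the DWORD from method names, e.g. @('PUK','CR') gives 3 (CR and PUK).
    $value = 0
    foreach ($m in $Methods) {
        if (-not $UnblockBits.Contains($m)) { throw "Unknown method '$m' (expected PUK, CR or WCR)" }
        $value = $value -bor $UnblockBits[$m]
    }
    $value
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SafeSignUnblockConfiguration {
    # Reads EnablePINUnlock and UnblockingMethods and reports what the logon screen will offer.
    $enable  = Get-RegistryDword -Path $SafeSignCpKey -Name 'EnablePINUnlock'
    $methods = Get-RegistryDword -Path $SafeSignCpKey -Name 'UnblockingMethods'
    if ($null -eq $methods) { $methods = 7 }      # assumption: absent value = documented default (all)
    $pinUnlockEnabled = ($enable -ne 0)           # assumption: absent EnablePINUnlock = enabled (1)
    $offered = @()
    if ($pinUnlockEnabled) { $offered = @(ConvertFrom-UnblockingMethods -Value $methods) }
    [pscustomobject]@{
        PinUnlockEnabled  = $pinUnlockEnabled
        UnblockingMethods = $methods
        OfferedMethods    = $offered
    }
}

function Get-CredentialProviderCoexistence {
    # 3.10.3.2: from 3.0.80 the Microsoft provider is disabled (Disable = 1) rather than removed.
    # Disable = 0 re-enables it, which leaves both providers visible on the logon screen.
    foreach ($entry in $MsSmartCardCp.GetEnumerator()) {
        $key = Join-Path $MsCpBase $entry.Value
        if (-not (Test-Path $key)) { continue }
        $disable = Get-RegistryDword -Path $key -Name 'Disable'
        $state = 'enabled (both providers shown)'
        if ($disable -eq 1) { $state = 'disabled (SafeSign CP only)' }
        [pscustomobject]@{
            Windows          = $entry.Key
            ProviderGuid     = $entry.Value
            MicrosoftCpState = $state
        }
    }
}

Get-SafeSignUnblockConfiguration | Format-List
Get-CredentialProviderCoexistence | Format-Table -AutoSize
```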

3.10.3.3 Smart Card Service

In SafeSign Identity Client version 3.0.80 and higher (≥ 3.0.80), the SafeSign IC Credential Provider has been modified to check whether the Smart Card Service is running and to wait for it. It was reported that on some systems the Smart Card Service comes up too late, so that the SafeSign IC Credential Provider is not able to use the Smart Card subsystem, i.e. the SafeSign IC Credential Provider does not get any smart card inserted or smart card removed events, leaving the system to wait (indefinitely) until a smart card is inserted.

3.10.4 Changed “smart card sign-in experience”

On Windows 8 and Windows Server 2012, changes were made to the “smart card sign-in experience”, as described in http://technet.microsoft.com/en-us/library/hh849637.aspx: “For end users, the sign-in experience on Windows Server 2012 and Windows 8 has improved detection of whether a smart card reader was installed and whether a smart card or a password was used to sign in or unlock the computer the last time. If a smart card was not installed previously, and the user selects the smart card sign-in icon, a message appears telling the user to connect a smart card. After a card is connected, the smart card PIN dialog box appears. If the user does not want to use the sign-in option that automatically appears (if their smart card is not readily available, for example), a second message allows the user to select from different sign-in options.”

3.11 Support for SHA-2

In SafeSign Identity Client support for SHA-2 has been implemented, with the following variants: SHA-256, SHA-384 and SHA-512.

Note

It is possible to use SHA-256 as hashing algorithm with a 1024 bits key pair, but it is not possible to use SHA-384 and SHA-512 in that case. This is a limitation for security reasons.

3.12 Support for AES

In SafeSign Identity Client support for AES encryption / decryption has been implemented. SafeSign Identity Client offers both a type 1 CSP (PROV_RSA_FULL) and a type 24 CSP (PROV_RSA_AES), supporting AES-128, AES-192 and AES-256.

See also http://msdn.microsoft.com/en-us/library/aa387447(VS.85).aspx

3.13 Certificate Propagation

In SafeSign Identity Client versions up to 3.0.45 (< 3.0.45), certificate registration and de-registration was performed by the SafeSign Store Provider (aetsprov.dll). However, as a result of changed functionality in Windows Vista and higher, changes have been made to the way certificates are registered / propagated. Starting with SafeSign Identity Client version 3.0.45, certificates are registered by the appropriate Microsoft services and processes, i.e. through the Microsoft Certificate Propagation service[8].

[8] In Windows XP, the Windows Smart Card Service takes care of certificate registration as part of winlogon.exe.

The Microsoft Certificate Propagation (Service) applies when a logged-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate(s) to be read from the smart card. The certificates are then added to the user’s Personal store. The service action is controlled by using Group Policy. For more information on the Microsoft Certificate Propagation Service and the relevant policy settings, refer to http://technet.microsoft.com/en-us/library/ff404288(WS.10).aspx.

For that reason, from SafeSign Identity Client version 3.0.45 onwards, the SafeSign Store Provider (aetsprov.dll) has been removed, leaving it up to the Microsoft Certificate Propagation Service to register the certificates. The SafeSign Store Provider did not only register certificates, but also deregistered them when the token was removed. As the SafeSign Store Provider is removed / no longer available, the deregistration feature provided by the SafeSign Store Provider in previous versions does not exist anymore. The Microsoft Certificate Propagation Service does not deregister certificates upon token removal[9]; therefore, when the token is removed, the certificates will remain visible in the certificate store (though they will not be usable without the key pair)[10].

There is no custom method implemented for deregistering certificates as there is no Microsoft approved way (or APIs available) of doing so. Any method adding this functionality is considered proprietary and may cause problems in the Operating Systems involved (which rely on the availability of certificates) and with obtaining support from Microsoft.

3.14 Support for CNG Key Storage Provider

SafeSign Identity Client includes the SafeSign Key Storage Provider.

Starting from Windows Vista / Windows Server 2008, Microsoft introduced a new version of the Cryptographic API (CryptoAPI), the so-called Cryptography API: Next Generation (CNG). Unlike CryptoAPI, CNG separates Cryptographic Service Providers from Key Storage Providers (KSPs). Before, a Cryptographic Service Provider was required to support non-smart card specific operations (such as padding and hashing), but with CNG, the key provider only needs to support operations related to keys and cannot be run without a smart card.

It is up to the Operating System to decide when and which interface (CryptoAPI or CryptoAPI NG) to call.

For more information on Cryptography API: Next Generation, see: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376210(v=vs.85).aspx.

[9] Certificate deregistration does not exist in the Microsoft architecture, whether CSP (NG) or minidriver is used.

[10] Thus it may happen that on secure web authentication with Internet Explorer, you are able to select the certificate, but you will not be asked for the PIN and get an immediate error: “Internet Explorer cannot display the web page”.

3.15 Support for Event Logging

SafeSign Identity Client (≥ 3.0.70) supports the generation of Application Event logs, through the AETEventProvider. When enabled in the registry[11], the following events will be logged:

PIN changes;

Wrong PIN entered;

PIN expired;

PIN blocked.

These events will be logged whether done during smart card logon, use of the Token Utility or within applications[12].

Here is an example of what the Event Viewer will look like when the PIN is locked:

Figure 7: Event viewer when PIN is locked

In SafeSign Identity Client version 3.0.93 and higher, the AETCSPEventProvider is included and enabled by default[13]. If an exception error occurs in the SafeSign CSP on Windows Vista or higher, two events will be generated in the Application Event log:

An (error) event about the exception caught by the CSP;

An (information) event about the generated dump file.

Contact AET SafeSign Support if you should see such events in your environment.

[11] By changing the DWORD value “GenerateEventLogs” in [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\A.E.T. Europe B.V.\SafeSign\2.0\] on 64-bit and [HKEY_LOCAL_MACHINE\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0\] on 32-bit to a value of “1”.

[12] In Internet Explorer on Windows Vista 32-bit, we have found that there are no events created when authenticating to a secure web site with a wrong PIN or when the PIN is locked.

[13] After installation, the following entry should be present: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\AETCSPEventProvider]

Note

On Windows Vista and higher, this dump file is typically created in the C:\Users\Public\ folder, with the following name format: ”CSP_RunTime_Minidump_YYYY_MM_DD_HH_MM_SS.dmp”.

Note

For Windows XP and Windows Server 2003, a warning event about the generation of a dump file will be generated in the Application Event log as well. However, although the dump file will be created, it does not contain any content. Moreover, the dump file will be created in the root folder, as there is no C:\Users\Public folder on these Operating Systems. Should this be the case in your environment, please contact AET SafeSign Support for the appropriate procedure to collect the minidump data.
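As an added example (not part of the SafeSign documentation), this PowerShell script turns on GenerateEventLogs in the key named in footnote 11, checks the AETCSPEventProvider registration from footnote 13, and summarises the AETEventProvider PIN events and any CSP minidumps in C:\Users\Public. It assumes Windows Vista or later with PowerShell 3.0+ (Get-WinEvent); the event IDs and message texts are not documented here, so events are grouped by ID and shown with their first message line rather than matched against known values.

```powershell
# Added example: enable and review SafeSign application event logging (section 3.15).
# Not part of the SafeSign product. Registry paths, provider names and the minidump
# location / name format are those given in the text; event IDs are not documented,
# so nothing below depends on specific ID values (assumption). Run elevated.

# GenerateEventLogs location per footnote 11 (64-bit vs 32-bit Windows).
$SafeSignKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\A.E.T. Europe B.V.\SafeSign\2.0'
} else {
    'HKLM:\SOFTWARE\A.E.T. Europe B.V.\SafeSign\2.0'
}
$CspProviderKey = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Application\AETCSPEventProvider'
$MinidumpFolder = 'C:\Users\Public'     # dump location on Vista and higher, per the note above

function Enable-SafeSignEventLogging {
    # Sets GenerateEventLogs = 1 (the value footnote 11 describes) and returns the stored value.
    New-ItemProperty -Path $SafeSignKey -Name 'GenerateEventLogs' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $SafeSignKey -Name 'GenerateEventLogs').GenerateEventLogs
}

function Test-SafeSignEventProviders {
    # Footnote 13: after a 3.0.93+ installation the AETCSPEventProvider source should be registered.
    $generate = 0
    try {
        $generate = (Get-ItemProperty -Path $SafeSignKey -Name 'GenerateEventLogs' -ErrorAction Stop).GenerateEventLogs
    } catch { }
    [pscustomobject]@{
        GenerateEventLogs     = $generate
        CspProviderRegistered = (Test-Path $CspProviderKey)
    }
}

function Get-SafeSignPinEvents {
    param([int]$Days = 7)
    # PIN change / wrong PIN / PIN expired / PIN blocked events are written by AETEventProvider.
    # Grouping by ID makes a run of wrong-PIN events followed by a PIN-blocked event easy to spot.
    $filter = @{ LogName = 'Application'; ProviderName = 'AETEventProvider'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        ForEach-Object {
            $last = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                EventId  = $_.Name
                Count    = $_.Count
                LastSeen = $last.TimeCreated
                Message  = ($last.Message -split "`n")[0]   # first line of the most recent event
            }
        }
}

function Get-SafeSignCspExceptions {
    param([int]$Days = 30)
    # A CSP exception produces an error event plus an information event about the dump file
    # (AETCSPEventProvider); the dump is named CSP_RunTime_Minidump_YYYY_MM_DD_HH_MM_SS.dmp.
    $filter = @{ LogName = 'Application'; ProviderName = 'AETCSPEventProvider'; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $dumps  = @(Get-ChildItem -Path $MinidumpFolder -Filter 'CSP_RunTime_Minidump_*.dmp' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ErrorEvents = @($events | Where-Object LevelDisplayName -eq 'Error').Count
        InfoEvents  = @($events | Where-Object LevelDisplayName -eq 'Information').Count
        Minidumps   = ($dumps | Select-Object Name, Length, LastWriteTime)
    }
}

Test-SafeSignEventProviders | Format-List
Get-SafeSignPinEvents | Format-Table -AutoSize
Get-SafeSignCspExceptions | Format-List
```

Call Enable-SafeSignEventLogging first on a machine where Test-SafeSignEventProviders reports GenerateEventLogs as 0; the PIN events only start appearing after that value is set.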

3.16 Support for new cards and applet functionality

For certification purposes with the ICP-Brazil standard, some new functionality was implemented in SafeSign Identity Client (applet), described briefly in the following sections from a functional point of view.

For convenience, the SafeSign Identity Client Token Utility will display the applet version in its Show Token Info dialog. This functionality was implemented for various cards from different vendors. Should you be interested in this functionality, please contact us.

3.16.1 Support for the RIC card

SafeSign Identity Client supports the Brazilian Identity Card, issued by the Registro de Identidade Civil (RIC). Functionality for the RIC Card includes card wipe functionality, which will delete PKI objects only (and not authentication objects and RIC data), if the correct PUK and PIN are entered.

3.16.2 Support for PIN policy

SafeSign Identity Client supports cards with a (pre-)defined PIN policy, where the end user may not just select any PIN or PUK code for their token, but must adhere to certain complexity rules (so called PIN and PUK policies).

In SafeSign IC the following policy has been enabled[14]:

PIN / PUK must have at least one (01) capitalized alphabetic character (A-Z);

PIN / PUK must have at least one (01) lowercase alphabetic character (a-z);

PIN / PUK must have at least one (01) numerical character (0-9);

The use of special characters is allowed. Example: “$”, “@”, “&” etc.

For this functionality to work, a special applet is required. Currently, an applet is available with support for PIN policy and recycling (see the next section).

[14] This policy is called the Diversification policy.

3.16.3 Support for recycling the token

In SafeSign Identity Client it is possible to ‘recycle’ the token, i.e. once the PIN and PUK are blocked due to too many attempts (i.e. entering an incorrect PIN / PUK until the retry counter is exceeded), it is possible to reset the token so that it returns to its original initialized state.

If the token is locked, there will be an option in the Token Utility’s Token menu, allowing you to set a new token label, PUK and PIN. The number of recycle attempts depends on the amount set during applet installation (the maximum number of recycle attempts that can be set is decimal 127 / hex 7F). The Token Utility’s Show Token Info dialog will display the recycle count (used and maximum)[15].

For this functionality to work, a special applet is required, with special installation parameters.

3.16.4 Support for secure messaging

SafeSign Identity Client supports secure messaging, in accordance with the ICP-Brazil standard, which requires that data communication from the computer to the token is enciphered. For this purpose, the SafeSign IC applet can be configured to use MACing and encryption. This is implemented for specific cards from different vendors.

In SafeSign Identity Client version 3.0.93 and higher, the status of secure messaging is included in the Token Utility’s Token Information dialog and in a dump of the token (made by Dump Token Contents).

3.17 Support for 3DES key storage on the card

SafeSign Identity Client includes support for the storage of 3DES / symmetric keys on the cards. When loaded on the token, the secret keys will be visible in the Token Utility, upon displaying the private objects on the card and dumping the token contents[16].

This functionality requires a special applet.

[15] The recycle counter is treated as an initialization counter: a card loaded with a recycle counter of 5 can be initialised 5 times, of which 4 are recycles. After that, the recycle option is disabled.

[16] Note that when dumping the contents of a token, only public information on the token objects will be displayed.

4 End User Documentation

SafeSign Identity Client Standard Version 3.0 for Windows provides at least the following end user documentation:

Document name                                                                         Document Version
SafeSign Identity Client Standard 3.0 Release Notes for Windows                       1.18
SafeSign Identity Client Standard 3.0 Product Description                             2.7
SafeSign Identity Client Standard User Guide for Installation                         3.4
SafeSign Identity Client Standard User Guide for Token Utility                        1.1
SafeSign Identity Client User Guide for Microsoft and Outlook XP                      2.1
SafeSign Identity Client User Guide for Microsoft VPN in Windows XP                   2.1
SafeSign Identity Client User Guide for Microsoft Windows 2003                        2.1
SafeSign Identity Client User Guide for Microsoft Windows 2003 Terminal Services      2.1
SafeSign Identity Client User Guide for Citrix Presentation Server 4.5                1.0
SafeSign Identity Client Administrator’s Guide                                        3.2
SafeSign Identity Client User Guide for Authentication                                2.1

Note that the (2.1) User Guides mentioned above were written for SafeSign IC versions 2.3.x.

5 Supported and Tested PC Operating Systems

SafeSign Identity Client Standard Version 3.0 for Windows has been tested to support the following PC Operating Systems:

SafeSign IC version:     3.0.33  3.0.40  3.0.70  3.0.77  3.0.80  3.0.87  3.0.88  3.0.93  3.0.97
Windows:
XP                         ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
Vista                      ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
7                          ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
7 SP1                                      ✓       ✓       ✓       ✓       ✓       ✓       ✓
8 Pro                                                      ✓       ✓       ✓       ✓       ✓
8.1                                                                                ✓       ✓
Server 2008                ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
Server 2008 SP2                    ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
Server 2008 R2                     ✓       ✓       ✓       ✓       ✓       ✓       ✓       ✓
Server 2008 R2 SP1                         ✓       ✓       ✓       ✓       ✓       ✓       ✓
2012 Standard                                              ✓       ✓       ✓       ✓       ✓
2012 R2                                                                            ✓       ✓

Note

Windows Server 2012 (R2) only runs on x64 processors, so you should install the 64-bit version of SafeSign Identity Client version 3.0.93 (3.0.93-x64) on Windows Server 2012 (R2).

6 Supported languages

The following languages are supported in SafeSign Identity Client:

Catalan (CA);

Czech (CS);

German (DE);

English (EN);

Spanish (ES);

Basque (EU);

Finnish (FI);

French (FR);

Croatian (HR);

Hungarian (HU);

Italian (IT);

Swiss Italian (IT_CH);

Japanese (JA);

Korean (KO);

Lithuanian (LT);

Dutch (NL);

Portuguese (PT);

Brazilian (PT_BR);

Russian (RU);

Thai (TH);

Turkish (TR);

Ukrainian (UK);

Chinese (ZH);

Chinese Hong Kong (ZH_HK);

Chinese Taiwan (ZH_TW);

Serbian language, Cyrillic and Latin[17] (SR);

Lithuanian language[18] (LT).

[17] SafeSign IC supports both Serbian (Cyrillic) and Serbian (Latin). However, InstallShield (≤ 2010) does not support Serbian (Latin); therefore, during installation, it is only possible to select Serbian (Cyrillic) as the language of the installation wizard.

[18] SafeSign IC supports the Lithuanian language. However, InstallShield does not support Lithuanian; therefore, during installation, it is not possible to select Lithuanian as the language of the installation wizard.

7 Supported and Tested Smart Card Readers

In principle, SafeSign Identity Client supports PC/SC v1.0 compliant smart card readers that supply a current of at least 60mA.

We recommend that customers make a careful selection of the smart card reader to use, as there are many smart card readers on the market, with such restrictions as ‘buggy’ PC/SC drivers (especially older smart card reader models), not enough power supply for cryptographic cards (which require a minimum of 60mA) and faulty T=0 or T=1 protocol implementation. These reader problems are beyond the control of smart cards and SafeSign Identity Client.

The following table lists the specific readers that have been tested with SafeSign Identity Client version 3.0.97:

Smart Card Reader Manufacturer and Model                      Class
HID OMNIKEY 3121 USB Desktop Reader                           1
HID OMNIKEY 3821 USB Desktop Pin Pad Reader                   3
HID OMNIKEY 1021 USB Desktop Reader                           1
Identive (SCM Microsystems) SCR3311 USB Smart Card Reader     1
Identive (SCM Microsystems) SPR 532 / CHIPDRIVE pinpad pro    2

The table below lists the smart card readers that have been tested at a given time with a SafeSign Identity Client version 3.0.x release. This does not imply that these readers will (still) work or will be supported in any or all versions of SafeSign Identity Client version 3.0.x. Though it is beyond the scope of AET / SafeSign Identity Client to provide an all-inclusive list of smart card and reader combinations supported, AET Support can assist customers in selecting the proper card – reader combination. If you have problems with your (listed) smart card reader, please contact AET Support.

Smart card reader manufacturer and model                                                       Interface    Class
ACS ACR38-IPC[19]                                                                              USB          1
ACS ACR38T                                                                                     USB          1
ACR38 USB Smart Card Reader/Writer[20]                                                         USB          1
Cherry SmartCard Keyboard G83-6744LUA (secure PIN entry, EMV 2000 level 1)                     USB          1
Cherry SmartCard Keyboard G83-6744LUZ (secure PIN entry, EMV 2000 level 1, certification Common Criteria EAL 3+)   USB   1
Cherry SmartTerminal ST-2000U                                                                  USB          2
G&D Crypto USB Token                                                                           USB          1
G&D StarKey100                                                                                 USB          1
G&D StarKey300                                                                                 USB          1
G&D StarKey400                                                                                 USB          1
GemPlus GemPC430                                                                               USB          1
GemPlus GemPC Twin                                                                             USB          1
HP USB Smart Card Keyboard[21]                                                                 USB          1
IDPendant IDp 100                                                                              USB          1
IDPendant IDp 200                                                                              USB          1
IDpendant IDp 1000                                                                             USB          1
Marx® CrypToken® MX2048-JCOP                                                                   USB          1
O2Micro OZ776 USB CCID Smartcard Reader[22]                                                    USB          1
Omnikey CardMan Mobile PCMCIA 4000                                                             PCMCIA       1
Omnikey CardMan Mobile PCMCIA 4040                                                             PCMCIA       1
Omnikey CardMan Desktop USB 3121                                                               USB          1
Omnikey CardMan Trust* 3620 (< SafeSign 3.0.33)                                                USB          2
Omnikey CardMan Trust* 3621                                                                    USB          2
Omnikey 3821 USB pinpad (≥ SafeSign 3.0.33)                                                    USB          2
Omnikey CardMan RFID 5121                                                                      USB          1
Omnikey CardMan 6121                                                                           USB          1
ORGA CardMouse USB V1.1                                                                        USB          1
Perto PertoSmart                                                                               USB          1
Reiner-SCT Cyberjack pinpad* (< SafeSign 3.0.33)                                               RS232, USB   2
Reiner SCT cyberJack pinpad (≥ SafeSign 3.0.33)                                                USB          2
Reiner SCT cyberJack e-com (≥ SafeSign 3.0.33)                                                 USB          3
Reiner SCT cyberJack secoder (≥ SafeSign 3.0.33)                                               USB          3
Renesas SecureMMC Reader (JAE USB X Mobile Card Reader PC-RNS7)                                USB          1
SCM Microsystems SCR241[23]                                                                    PCMCIA       1
SCM Microsystems SCR131                                                                        RS232        1
SCM Microsystems SCR331                                                                        USB          1
SCM Microsystems SCR531 (dual connection)                                                      RS232, USB   1
SCM Microsystems SCR335                                                                        USB          1
SCM Microsystems SPR 532 PINpad Reader (≥ SafeSign 3.0.33)                                     USB          2
Todos eCode Connectable 217U (≥ SafeSign 3.0.33)                                               USB          3
XIRING Leo                                                                                     USB          3
XIRING MyLeo                                                                                   USB          3

*) Note: Supported in versions previous to SafeSign IC version 3.0.33, where the PC/SC 1.0 reader driver of the pin pad readers above (either class 2 readers with additional PIN pad or class 3 readers with additional PIN pad and own display) is extended by proprietary functions for PIN pad support.

[19] ACS readers have been tested by their supplier / reseller or their partner.

[20] The ACR38U has a maximum supply current of 50mA. This card reader has been tested by A.E.T. Europe B.V. The results were positive. Nevertheless, to avoid power problems, we advise that smart card readers must be capable of providing at least a current of 60mA.

[21] Model tested: KUS0133

[22] Tested on Dell D420 / D620 Latitude notebooks only.

[23] All SCM readers have been tested by their supplier, SCM Microsystems.

8 Supported and Tested Hardware Tokens

SafeSign Identity Client Standard supports a number of hardware tokens, as listed below.

These tokens have been tested to work at a certain time as part of the release testing for SafeSign Identity Client versions 3.0.x. The list does not imply that each token (still) works or will be supported in any or all versions of SafeSign Identity Client version 3.0.x. If you have problems with your (listed) token, please contact AET Support.

8.1 STARCOS Cards

A token with STARCOS (SPK) operating system must be completed, before it can be used with SafeSign Identity Client. This completion includes parts of the smart card operating system STARCOS, which are written into the EEPROM of the smart card by G&D. Completed tokens do not contain any files, keys, certificates, PIN, PUK or token label.

Completed tokens are completed with a ‘series’ (or ‘test’) completion indicated by an ‘S’ (respectively ‘T’) in the STARCOS completion file name. Test completed tokens allow deletion of the SafeSign Identity Client application and re-completion and should only be used for evaluation purposes. Export versions (‘E’ instead of ‘I’ in the completion name) are not supported. For STARCOS SPK2.5 DI there is only one completion that allows secure deletion of the file system.

Token (Type): Tested Completion Versions

G&D STARCOS SPK 2.3 v7.0 (Smart Card)
  Test completion: CP5WxSPKI23-1-7-T_V0700
  Series completion: CP5WxSPKI23-1-7-S_V0700

G&D STARCOS RawRSA SPK 2.3 v7.0 (Smart Card)
  Test completion: CP5WxSPKI23-1-D-T_V0700
  Series completion: CP5WxSPKI23-1-D-S_V0700

G&D STARCOS SPK 2.4 v3.0 (Smart Card)
  Test completion: CP5WxSPKI24-01-0-T_V0300
  Series completion: CP5WxSPKI24-01-0-S_V0300

G&D STARCOS FIPS SPK 2.4 v3.3 (Smart Card)
  Test completion: CP5WxSPKI24-01-3-T_V0330
  Series completion: CP5WxSPKI24-01-3-S_V0330

G&D STARCOS SPK 2.5 DI v1.0 (Smart Card)
  Series completion: CP7G1SPKI25DI-1C-0-S_V0100

G&D StarKey100 / StarKey200 with G&D STARCOS SPK 2.3 or 2.4 chip (USB Token)
  Test completion: CP5WxSPKI23-1-7-T_V0700
  Series completion: CP5WxSPKI23-1-7-S_V0700
  Test completion: CP5WxSPKI24-01-0-T_V0300
  Series completion: CP5WxSPKI24-01-0-S_V0300

G&D STARCOS 3.0 (Standard Version) (Smart Card)
  Series completion: CPAZ0SCSI30-01A-0V300

G&D StarKey 350 USB Card Token with STARCOS 3.1.2 (Smart Card)
  -

G&D STARCOS 3.2 (Smart Card)
  -

G&D STARCOS 3.4 (Smart Card)
  -


8.2 Java Cards

The SafeSign Identity Client PKI applet enables end users to use any Java Card 2.1.1 / 2.2+ compliant card with the SafeSign Identity Client middleware. A Java Card token must contain an installed SafeSign Identity Client applet before it can be used with SafeSign Identity Client.

In the special case that a blank token (one that does not yet contain a SafeSign Identity Client applet) is used with the standard test keys for applet loading, the built-in applet loader of SafeSign Identity Client can be used to load and install the SafeSign Identity Client applet (see note 24). This universal Java Card applet loader included in SafeSign Identity Client can load the SafeSign Identity Client PKI applet out-of-the-box onto a variety of Java Cards equipped with a test key set (this includes most sample cards that can be purchased from Java Card vendors). Because a test key set is shared by every sample card of that type, it gives no control over who can load or delete applets on the card; for deployment / production, use cards with a production (custom) key set that have the applet pre-installed.

As the correct functioning of SafeSign Identity Client depends on a properly produced smart card or USB token, AET insists that smart cards and / or USB tokens produced for use with SafeSign Identity Client by vendors that are not approved AET production sites, or not in accordance with AET's QA policies (which require, among other things, that the applet is pre-installed in a secure environment and that a custom key set is used), are not eligible for any support by AET in case of problems, even if the user has purchased a SafeSign Identity Client Maintenance and Support Agreement.

8.2.1 Java Card 2.1.1

There are three default profiles of SafeSign Identity Client applets available with different sizes for Java Card 2.1.1 tokens:

SafeSign IC Applet | Max. number of RSA keys (PKCS#15) | Available private space in bytes (PKCS#15) | Available public space in bytes (PKCS#15) | Approx. number of certificates that can be stored
Minimal | 1 | 1 | 3328 | 1
Default | 3 | 1 | 4454 | 6
Maximal | * | * | * | 12

The minimal and default (medium) applets are the same for all supported Java Cards, whereas the maximal profile differs per card (hence the *).

The minimal-sized SafeSign Identity Client applet can only be used for Windows smart card logon or for SSL client authentication and secure e-mail.

Token | Type | Additional remarks
Aspects OS755 v2.8 | Smart Card | Java Card v2.1.1
Atmel ATOP36 | Smart Card | Java Card v2.1.1
Axalto e-Gate | Smart Card | Java Card v2.1.1
Axalto Cyberflex Developer | Smart Card | Java Card v2.1.1
Axalto Cyberflex 64Kv1 | Smart Card | Java Card v2.1.1
Axalto Cyberflex 64Kv2 | Smart Card | Java Card v2.1.1
Axalto Cyberflex 64kv3 | Smart Card | Java Card v2.1.1
Axalto Cyberflex Palmera | Smart Card | Java Card v2.1.1

24 Note that the SafeSign Java PKI applet loaded in this case is not the latest one and does not include all functionality listed in this Product Description.


Token | Type | Additional remarks
G&D Sm@rtCafé Expert v2.0 | Smart Card | Java Card v2.1.1
G&D STARSIM Java | Smart Card | Java Card v2.1.1
Gemalto GemXpresso 211PK | Smart Card | Java Card v2.1.1
Gemalto GemXpresso Pro R3 (16K, 32K and 64K) | Smart Card | Java Card v2.1.1
Gemplus GemXplore 3G (Gem10.64 GX3GV22 128K-PK) | Smart Card | Java Card v2.1.1
IBM JCOP 20 | Smart Card | Java Card v2.1.1
IBM JCOP 21id | Smart Card | Java Card v2.1.1
IBM JCOP 30 | Smart Card | Java Card v2.1.1
IBM JCOP 31bio | Smart Card | Java Card v2.1.1
ORGA JCOP 20 | Smart Card | Java Card v2.1.1
ORGA JCOP 30 | Smart Card | Java Card v2.1.1
ORGA JCOP21 | Smart Card | Java Card v2.1.1
Renesas X-Mobile Card | SD Card | Java Card v2.1.1
Sagem Orga J-ID Mark 64 | Smart Card | Java Card v2.1.1
Oberthur CosmopolIC v4 | Smart Card | Java Card v2.1.1
Sagem Orga ysID S2 | Smart Card | Java Card v2.1.2

8.2.2 Java Card 2.2.x

For the supported Java Card 2.2 (and higher) cards, the default profile is the only profile available, as the applet allocates memory dynamically.

Token | Type | Additional remarks
Aspects OS755 Java Card 2.2.1 | Smart Card | Java Card v2.2
Athena IDProtect | Smart Card | Java Card v2.2
Athena IDProtect Duo | Smart Card | Java Card v2.2
Athena IDProtect Duo V3 | Smart Card |
Athena IDProtect v3 | Smart Card | Java Card v2.2.2
Athena IDProtect v6 | Smart Card | Java Card v2.2.2
Athena IDProtect Key v2 | USB Token | Java Card v2.2.2
G&D Sm@rtCafé Expert 64K | Smart Card | Java Card v2.2.1; Config1 (FIPS with 2048 bit, level 3): CH463JC_INABFOP003901_V101 (FIPS); Config2 (FIPS with 1024 bit, level 3); Config3 (non-FIPS): CH463JC_INABFOP003901_V103 (non-FIPS); Config10 (FIPS with 2048 bit, level 2): CH463JC_INABFOP003901_V101 (FIPS)
G&D StarKey400 (M) with Sm@rtCafé Expert 64K | USB Token | Java Card v2.2.1; Config1 (FIPS with 2048 bit, level 3): CH463JC_INABFOP003901_V101 (FIPS); Config2 (FIPS with 1024 bit, level 3); Config3 (non-FIPS): CH463JC_INABFOP003901_V103 (non-FIPS)
G&D Sm@rtCafé Expert v3.0 | Smart Card | Java Card v2.2.1
G&D Sm@rtCafé Expert v3.1 | Smart Card | Java Card v2.2.1
G&D Sm@rtCafé Expert 3.2 | Smart Card | Java Card v2.2.1
G&D Sm@rtCafé Expert v4.0 | Smart Card | Java Card v2.2.1
G&D Sm@rtCafé Expert v5.0 | Smart Card | Java Card v2.2.2
G&D Convego Join 4.01 40k/80k | Smart Card | Java Card v2.2.1


Token | Type | Additional remarks
Mobile Security Card SE 1.0 | MicroSD card | Java Card v2.2.2
Gemalto GemXpresso Pro R4 72PK / TOP IM GX4 | Smart Card | Java Card v2.2.1
Gemalto MultiApp ID v2.1 | Smart Card | Java Card v2.2.1
Gemalto Optelio D72 FR1 | Smart Card | Java Card v2.2.2
Gemalto USB eSeal Token V2 TOP IM GX4 | USB Token | Java Card v2.2.1
Gemalto TOP DL v2 | Smart Card | Java Card v2.2.1
Gemalto Desineo ICP D72 FXR1 Java | Smart Card | Java Card v2.2.2
Gemalto IDCore | Smart Card | Java Card v2.2.2
Gemalto UpTeQ NFC SIM 2.0 | SIM | Java Card v2.2.1
Identive SCT3522 USB Token | Smart Card | Java Card v2.2.2
Identive SCT3522DI Mifare Flex USB Token | Smart Card | Java Card v2.2.2
IDpendant IDp 200 | USB Token | Java Card v2.2.1
IDpendant IDp 1000 | USB Token | Java Card v2.2.1
IBM JCOP 21 v2.2.1 | Smart Card | Java Card v2.2.1
IBM JCOP31 v2.2.1 | Smart Card | Java Card v2.2.1
IBM JCOP 41 v2.2.1 | Smart Card | Java Card v2.2.1
KEBT KONA10 v1.6, KONA11 v1.0, KONA12 v1.1, KONA20 v1.4, KONA27 v1.1 | Smart Card | Java Card v2.2 (see note 25)
KEBT KONA 21T | Smart Card | Java Card v2.2
Marx CrypToken MX2048-JCOP | USB Token | Java Card v2.2.1
Morpho JMV ProCL V3.0 | Smart Card |
NXP JCOP21 v2.3.1 | Smart Card | Java Card v2.2.1
NXP JCOP31 v2.3.1 | Smart Card | Java Card v2.2.1
NXP JCOP41 v2.3.1 | Smart Card | Java Card v2.2.1
NXP JCOP21 v2.4.1 / J2A080 | Smart Card | Java Card v2.2.2
NXP JCOP31 v2.4.1 / J3A080 | Smart Card | Java Card v2.2.2
NXP JCOP21 v2.4.1 / J2A081 | Smart Card | Java Card v2.2.2
NXP JCOP31 v2.4.1 / J3A081 | Smart Card | Java Card v2.2.2
NXP JCOP v2.4.1 R2 / J2D081 | Smart Card | Java Card v2.2.2
Oberthur IDone Cosmo64 v5.2 | Smart Card | Java Card v2.2.1
Oberthur ID-One Cosmo 32 RSA v3.6 | Smart Card | Java Card v2.2.1
Oberthur ID-One Cosmo 64 RSA D/T v5.4 | Smart Card | Java Card v2.2.1
Oberthur ID-One Cosmo v7.0 | Smart Card | Java Card v2.2.1
Oberthur ID-One Cosmo v7.01 | Smart Card | Java Card v2.2.2
Sagem Orga J-ID Mark 64 Dual | Smart Card | Java Card v2.2.1
Sagem Orga ysID S3 (see note 26) | Smart Card | Java Card v2.2.2
Sagem Orga ysID Key E-M | USB Token |
Sagem Orga ysID Key E2C (see note 27) | USB Token |

8.2.3 Java Card 3.0

Token | Type | Additional remarks
DeviceFidelity credenSE v2.10J | MicroSD Card | Java Card v3.0.1 Classic
G&D Sm@rtCafé Expert v6.0 | Smart Card | Java Card v3.0.1 Classic
G&D SkySIM CX Scorpius | SIM | Java Card v3.0.1 Classic
NXP JCOP v2.4.2 R3 | Smart Card | Java Card v3.0.1

25 Implemented with support for key generation of 1024 bits only.

26 Only supported with the SafeSign PKI applet pre-installed.

27 Only supported with the SafeSign PKI applet pre-installed.


8.3 Belgium Identity Card

Token | Type | Additional remarks
Belgium eID card | Smart Card | Only for authentication

8.4 IDpendant

Token | Type | Additional remarks
IDp 100 | Smart Card | None

8.5 Multos

Token | Type | Additional remarks
KeyCorp Multos v4.2 48K card | Smart Card | None
KeyCorp Multos v4.2 64K card | Smart Card | None

8.6 RSA

Token | Type | Additional remarks
RSA SecurID Token | USB token | Read-only implementation
RSA Smart Card 5200 | Smart Card | Read-only implementation

8.7 SECCOS (see note 28)

Token | Type | Additional remarks
SECCOS 5.0 | Smart Card | None
SECCOS 6.2 | Smart Card | None

8.8 Siemens

Token | Type | Additional remarks
CardOS 4.3B 32 / 64K | Smart Card | None
CardOS 4.4 | Smart Card | None

8.9 Swiss Cards

Token | Type | Additional remarks
Quovadis SuisseID | Smart Card | CardOS 4.3B
SwissSign SuisseID | Smart Card | CardOS 4.3B
FMH / Swisscom Swiss Health Professional Card | Smart Card | CardOS 4.3B
Swisspost Schweizerische Krankenversicherungskarte KVG | Smart Card | STARCOS 3.4
Sasis PDC / Krankenversicherungskarte KVG | Smart Card | MTCOS

28 Note that the ATR of SECCOS cards depends on specific card capabilities and may be project-related. Therefore, the Token Utility may report an Unknown ATR. ATRs can be added to the Windows registry manually or by using an appropriate tool.


8.10 Supported ATRs

Below is the full list of cards whose ATR is supported in SafeSign Identity Client version 3.0.97, as recorded in the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards] and, on 64-bit Windows, [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards]:

AET SoftToken

Aspects OS755

Aspects OS755 JC 2.2.1

Athena IDProtect

Athena IDProtect Duo v3 (2)

Athena IDProtect Key v2

Athena IDProtect v3

Atmel ATOP36

Atmel ATOP36 (T=0/TA1=18)

Atmel ATOP36 (T=1/TA1=11)

Atmel ATOP36 (T=1/TA1=94)

Axalto Cyberflex 32K

Axalto Cyberflex 64K

Axalto Cyberflex 64K v2

Axalto Cyberflex 64K V2c

Axalto Cyberflex 64k v3

Axalto Cyberflex 64K v3 - ICitizen Open v2

Axalto Cyberflex Palmera

Axalto e-Gate 32K

Axalto Palmera Protect V5 T=0 MChip

Axalto Palmera Protect V5 T=0 VISA

Belgium eID A

Belgium eID B

CardOS43B

CardOS43B (SwissSign SuisseID)

CardOS44

Changingtec JCOP

Changingtec JCOP (T=CL)

Changingtec JCOP T

Defensiepas

Defensiepas 2

Device Fidelity credenSE v2.10J

Foongtone JCOP31

Foongtone JCOP31 (T=CL)

Foongtone JCOP31 72K

G&D Convego Join 4.01

G&D Sm@rtCafe 3.0 (T=1/TA1=18)

G&D Sm@rtCafe 3.0 (T=CL)

G&D Sm@rtCafe Expert 64 (XMC2)

G&D Sm@rtCafe Expert 64K (conf. 1 - cold - StarKey400)

G&D Sm@rtCafe Expert 64K (conf. 1 - cold)

G&D Sm@rtCafe Expert 64K (conf. 1 - div. 31 T=1 only)


G&D Sm@rtCafe Expert 64K (conf. 1 - warm)

G&D Sm@rtCafe Expert 64K (conf. 2 - cold - StarKey400)

G&D Sm@rtCafe Expert 64K (conf. 2 - cold)

G&D Sm@rtCafe Expert 64K (conf. 2 - div. 31 T=1 only)

G&D Sm@rtCafe Expert 64K (conf. 2 - warm)

G&D Sm@rtCafe Expert 64K (conf. 3 - cold - StarKey400)

G&D Sm@rtCafe Expert 64K (conf. 3 - cold)

G&D Sm@rtCafe Expert 64K (conf. 3 - div. 31 T=1 only)

G&D Sm@rtCafe Expert 64K (conf. 3 - warm)

G&D Sm@rtCafe Expert 64K (conf. 4 - cold)

G&D Sm@rtCafe Expert 64K (conf. 4 - div. 31 T=1 only)

G&D Sm@rtCafe Expert 64K (conf. 4 - warm)

G&D Sm@rtCafe Expert 64K (conf. 5 - cold)

G&D Sm@rtCafe Expert 64K (conf. 5 - div. 31 T=1 only)

G&D Sm@rtCafe Expert 64K (conf. 5 - warm)

G&D Sm@rtCafe Expert 64K (conf. 8 - cold)

G&D Sm@rtCafe Expert 64K (conf. 8 - div. 31 T=1 only)

G&D Sm@rtCafe Expert 64K (conf. 8 - warm)

G&D Sm@rtcafe Expert v2.0 (16K)

G&D Smartcafe v2.0 (32K) (compl. 20041230)

G&D Smartcafe v2.0 (32K) (compl. 20041230, cold)

G&D Smartcafe v2.0 (32K) T=0 cf 372

G&D Smartcafe v2.0 (32K) T=0/1 cf 93

G&D Smartcafe v2.0 (32K) T=1 (1)

G&D Smartcafe v2.0 (32K) T=1 (2)

G&D Smartcafe v2.0 (32K) T=1 cf 372

G&D SPK 2.3 T=0/1

G&D SPK 2.3 T=0/1 9600

G&D SPK 2.3 T=1

G&D SPK 2.4 T=1

G&D SPK 2.4 v3 T=0/1

G&D SPK 2.5 DI T=0/1

G&D STARCOS 3.0 Multi-factor T=0/1

G&D STARCOS 3.0 Multi-factor T=0/1 (legacy)

G&D STARCOS 3.0 Multi-factor v1.1 T=0/1

G&D STARCOS 3.0 new T=0/1

G&D STARCOS 3.0 T=0/1

G&D STARCOS 3.0 T=0/1 0V300

G&D STARCOS 3.0 T=0/1 2005-03-18

G&D STARCOS 3.0 T=0/1 2005-06-24

G&D STARCOS 3.1.2 Standard USB

G&D STARCOS 3.4a

G&D STARCOS 3.4b

G&D STARCOS 3.4c

G&D STARSIM Java

G&D UniverSIM JAVA Andromeda PRO

Gem10.64 GX3GV22 128K-PK


Gemalto Desineo ICP D72 FXR1 Java

Gemalto IDCore 30

Gemalto MultiApp ID v2.1

Gemalto TOP DL v2

Gemalto TOP DL v2 - SCP02

Gemalto TOP IM GX4

Gemalto TOP IM GX4 MSA081

Gemalto TOP IM GX4-2

Gemalto UpTeq NFC SIM 2.0

Gemalto USB eSeal Token V2 TOP IM GX4

GemPlus GemXpresso 211PK

GemPlus GemXpresso Pro R3

GemPlus GemXpresso Pro R3 16K-32K

GemPlus GemXpresso Pro R3 32K

GemPlus GemXpresso Pro R3.2 E32PK

GemPlus GemXpresso Pro R3.3

Giesecke & Devrient SkySIM CX Scorpius

Giesecke & Devrient Sm@rtCafe 3.2

Giesecke & Devrient Sm@rtCafe 3.2 (Mobile Security Card)

Giesecke & Devrient Sm@rtCafe 3.2 (T=CL)

Giesecke & Devrient Sm@rtCafe 4.0

Giesecke & Devrient Sm@rtCafe 5.0

Giesecke & Devrient Sm@rtCafe 5.0 (MSC SE 1.0)

Giesecke & Devrient Sm@rtCafe 6.0 (USB Token)

Giesecke & Devrient Sm@rtCafe 6.0 FIPS

Giesecke & Devrient Sm@rtCafe 6.0 Fips 144k

Giesecke & Devrient Sm@rtCafe 6.0 non-FIPS

Giesecke & Devrient Sm@rtCafe 6.0 non-FIPS 144k

Giesecke & Devrient Sm@rtCafe 6.0 non-FIPS U

Giesecke & Devrient Sm@rtCafe Expert

Giesecke & Devrient Sm@rtCafe Expert 3.2

Giesecke & Devrient Sm@rtCafe Expert 3.2 FIPS

Giesecke & Devrient Sm@rtCafe Expert 3.2 StarKey 550

Giesecke & Devrient StarCos 3.0

Giesecke & Devrient StarCos 3.2

Giesecke and Devrient Sm@rtCafe Expert 3.2

HID Crescendo C700

HID Crescendo C700 (95)

HID Crescendo C701

IBM JCOP20

IBM JCOP20 (Foongtone)

IBM JCOP20 (Sm@rtCafe Lite)

IBM JCOP20 (TA1=18)

IBM JCOP21 v 2.2

IBM JCOP21 v2.2

IBM JCOP21 v2.2 (36K)

IBM JCOP21 v2.2 (Winter AG)


IBM JCOP21id

IBM JCOP21id (TA1=18)

IBM JCOP30

IBM JCOP30 (Foongtone)

IBM JCOP30 (T=CL)

IBM JCOP31 v2.2

IBM JCOP31 v2.2 (T=CL)

IBM JCOP31 v2.2 (T=CL) (Winter AG)

IBM JCOP31 v2.2 (Winter AG)

IBM JCOP31bio

IBM JCOP41

IBM JCOP41 (Foongtone)

IBM JCOP41 (T=CL)

IBM JCOP41 (T=CL) (IBM)

IBM JCOP41 (T=CL) (Weneo ACS)

IBM JCOP41 (T=CL) (Weneo SCM)

IBM JCOP41 (T=CL) (Weneo)

IBM JCOP41 (TA1=18)

IBM JCOP41 (USB)

IBM JCOP41 (Weneo T0--)

IBM JCOP41 (Weneo T0T1)

IBM JCOP41 (Weneo --T1)

IBM JCOP41 2.2.1

IBM JCOP41 v2.2.1

IBM JCOP41 v2.2.1 USB (Winter AG)

Identity Device (Microsoft Generic Profile)

Identity Device (NIST SP 800-73 [PIV])

Identive SCT3522DI

IDp 200

IntelCav PKI EMV 40K

IntelCav PKI EMV 80K

IntelCav PKI EMV DUAL 40K

IntelCav PKI EMV DUAL 80K

IntelCav PKI EMV DUAL 80K (T=0)

IntelCav PKI Standard 40K

IntelCav PKI Standard 80K NXP JCOP21

IntelCav PKI Standard 80K ST IDProtect Duo v3

IntelCav PKI Standard 80K ST IDProtect Duo v3 (ITCV)

IntelCav PKI Standard DUAL 40K

IntelCav PKI Standard DUAL 80K

JCOP21 v2.3.1 (Winter AG)

JCOP31 v2.3.1 (Winter AG)

JCOP41 v2.3.1 (IBM)

JCOP41 v2.3.1 (T=CL_CM)

JCOP41 v2.3.1 (Winter AG)

KEBT KONA

KeyCorp Multos v4.2 developer 48K


KeyCorp Multos v4.2 developer 64K (appl. lim. 31.5K)

MARX CrypToken 2000

Morpho JMV ProCL V3.0

NXP J2A080 (Winter AG GTN)

NXP J2A080-J3A080 (TA1=96)

NXP J2A080-J3A080 (Winter AG)

NXP J2D081

NXP J3A080

NXP J3A081 (T=CL)

NXP J3A081 (T=CL) (Exceet AG)

NXP JCOP 2.4.2 R3 (Austriacard)

NXP JCOP 2.4.2 R3 (exceet Card AG)

Oberthur - IDone Cosmo64 v5.2

Oberthur Cosmo v3.6 (OCS)

Oberthur CosmopolIC 32Kb v3.6

Oberthur CosmopolIC 32Kb v3.6 (OCS)

Oberthur CosmopolIC Dual 64Kb v5.4

Oberthur CosmopolIC v4

Oberthur IDone Cosmo v7.0

Oberthur IDone Cosmo v7.0 CC

Oberthur IDone Cosmo v7.0.1

Oberthur IDone Cosmo v7.0.1-n Standard Dual

Oberthur IDone Cosmo v7.0-a Basic

Oberthur IDone Cosmo v7.0-a Large D

Oberthur IDone Cosmo v7.0-a Standard

Oberthur IDone Cosmo v7.0-a Standard D

Oberthur IDone Cosmo v7.0-n Basic D

Oberthur IDone Cosmo v7.0-n Large

Oberthur IDone Cosmo v7.0-n Large D

Oberthur IDone Cosmo v7.0-n Standard

Oberthur IDone Cosmo v7.0-n Standard D

Oberthur IDone Cosmo64 v5.2

Oberthur IDone Cosmo64 v5.2 (T=CL)

Oberthur IDone Cosmo64 v5.4

Oberthur IDone Cosmo64D v5.2

ORGA JCOP20

ORGA JCOP21 v2.2

ORGA JCOP30

RIC card

Rijkspas

RSA Token

Sagem orga J-ID 64k

Sagem Orga J-ID Mark64

Sagem YpsID Key E-M

Sagem YpsID s2

Sagem YpsID s3

Sasis PDC


SECCOS

SECCOS_T=CL

SECCOS_TA1

STARCOS 3.2 SSCD

UZI-pas

UZI-pas 2

Vasco DP Key 101 V073

Vasco DP Key 101 V081D

Vasco DP Key 200 V073

Vasco DP Key 200 V081D

Vasco DP Key 860 V073

Vasco Smart card V073

Vasco Smart card V081D

WatchData

YpsID S3 IDeal

YpsID S3 IDeal Bio
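The entries listed above are ordinary keys under the Calais\SmartCards registry path; each holds the card's ATR, an ATRMask, and the names of the CSP / key storage provider (and, for minidriver cards, the minidriver path under the value "80000001") that Windows hands the card to. The following PowerShell script is an added example for this Product Description, not AET code or part of the Token Utility: it reads those entries, checks whether a given ATR is covered by one of them using the same masked comparison the Smart Card Resource Manager applies (each byte of the stored ATR and of the card's ATR is ANDed with the mask byte before comparing), and shows how a project-specific ATR of the kind note 28 describes can be registered by copying the provider values of an existing SafeSign entry. The sample ATR bytes and mask are constructed for illustration and are not a real card's ATR; 'SECCOS' is used as the template name only because it appears in the list above, and the new entry name is made up.

```powershell
# Added example (not from the SafeSign Product Description): inspect the Calais
# smart-card database, match an ATR against it, and register a new ATR entry.
# Reading needs no privileges; Add-CalaisCardEntry must run in an elevated shell.

$CalaisPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards'
)

# Read every entry (name, ATR, ATRMask, provider values) from both registry paths.
function Get-CalaisCardEntry {
    foreach ($path in $CalaisPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem -Path $path) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{
                Name    = $key.PSChildName
                Path    = $path
                ATR     = [byte[]]$p.ATR
                ATRMask = [byte[]]$p.ATRMask
                CSP     = $p.'Crypto Provider'
                KSP     = $p.'Smart Card Key Storage Provider'
            }
        }
    }
}

# Masked comparison: a mask byte of 0x00 wildcards that ATR position, which is
# how project-dependent bytes (note 28) are covered by a single entry.
# Lengths must agree; a missing mask means an exact, byte-for-byte comparison.
function Test-AtrMatch {
    param([byte[]]$Atr, [byte[]]$EntryAtr, [byte[]]$EntryMask)
    if ($null -eq $EntryAtr -or $Atr.Length -ne $EntryAtr.Length) { return $false }
    if ($null -eq $EntryMask -or $EntryMask.Length -ne $EntryAtr.Length) {
        $EntryMask = [byte[]](,[byte]0xFF * $Atr.Length)
    }
    for ($i = 0; $i -lt $Atr.Length; $i++) {
        if (($Atr[$i] -band $EntryMask[$i]) -ne ($EntryAtr[$i] -band $EntryMask[$i])) {
            return $false
        }
    }
    return $true
}

# Register a new ATR under the same CSP / KSP / minidriver values as an existing
# entry (the template), in both the native and the Wow6432Node path.
function Add-CalaisCardEntry {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$NewName,
        [Parameter(Mandatory)][byte[]]$Atr,
        [byte[]]$Mask
    )
    if (-not $Mask) { $Mask = [byte[]](,[byte]0xFF * $Atr.Length) }
    foreach ($path in $CalaisPaths) {
        $template = Join-Path $path $TemplateName
        if (-not (Test-Path $template)) { continue }
        $src = Get-ItemProperty -Path $template
        $dst = Join-Path $path $NewName
        if (-not (Test-Path $dst)) { New-Item -Path $dst -Force | Out-Null }
        New-ItemProperty -Path $dst -Name 'ATR'     -PropertyType Binary -Value $Atr  -Force | Out-Null
        New-ItemProperty -Path $dst -Name 'ATRMask' -PropertyType Binary -Value $Mask -Force | Out-Null
        foreach ($name in 'Crypto Provider', 'Smart Card Key Storage Provider', '80000001') {
            if ($null -ne $src.$name) {
                New-ItemProperty -Path $dst -Name $name -PropertyType String -Value $src.$name -Force | Out-Null
            }
        }
    }
}

# Constructed sample ATR (8 bytes, not a real card). The mask keeps the
# protocol bytes fixed and wildcards the five historical bytes.
$sampleAtr  = [byte[]](0x3B, 0x95, 0x18, 0x01, 0x02, 0x03, 0x04, 0x05)
$sampleMask = [byte[]](0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00)

$hits = Get-CalaisCardEntry | Where-Object { Test-AtrMatch $sampleAtr $_.ATR $_.ATRMask }
if ($hits) {
    $hits | Format-Table Name, Path, CSP
} else {
    Write-Host 'ATR not in the Calais database (the Token Utility would report Unknown ATR).'
    # To register it (elevated), reusing the provider values of the SECCOS entry:
    # Add-CalaisCardEntry -TemplateName 'SECCOS' -NewName 'SECCOS (project sample)' -Atr $sampleAtr -Mask $sampleMask
}
```

Two points worth checking before adding an entry this way. First, the mask decides which cards the SafeSign provider will claim: wildcard only the bytes that actually vary between projects (the historical bytes note 28 refers to) and keep the protocol bytes fixed, otherwise unrelated cards will be routed to the SafeSign CSP and fail there. Second, on 64-bit Windows both paths must carry the entry, since 32-bit and 64-bit applications read different views; the SCardIntroduceCardType API writes the same keys and is the programmatic alternative to editing the registry directly.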

9 Supported Applications

SafeSign Identity Client supports an ever-increasing list of applications.

SafeSign Identity Client Standard Version 3.0 for Windows has been tested in accordance with AET's Quality Assurance procedures and the SafeSign Identity Client Standard Version 3.0 for Windows test plan. This includes testing a number of defined and representative applications to verify the correct functioning of the SafeSign Identity Client PKCS #11 and Microsoft CryptoAPI libraries.

This means that some of the (versions of) applications listed below may not have been tested explicitly with SafeSign Identity Client Standard Version 3.0.93 for Windows, where interoperability with regard to PKCS #11 or Microsoft CryptoAPI had already been established with previous versions of these applications in combination with SafeSign Identity Client (on the assumption that PKCS #11 / Microsoft CryptoAPI interoperability has remained stable).

The list below is not exhaustive; if you have an application that works with SafeSign Identity Client that you wish to have listed, please contact us.

9.1 Public Key Infrastructure

Application | Application version | Supported by SafeSign IC versions
Entrust Authority: Security Manager | 6.0.1, 7.0 | 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Entrust Authority: Self-Administration Server | 6.0 | 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Computer Associates eTrust PKI (tested by partner) | 1.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
GlobalSign | N/A (Not Applicable) | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Standalone and Enterprise Certificate Server | Windows 2003 Server (see note 29), Windows 2008 Server (see note 30), Windows Server 2012 (see note 31) | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
RSA Keon PKI | 4.7, 5.7, 6.0, 6.5 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeGuard PKI (tested by supplier: Utimaco) | 2.50 and up | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0

29 Windows 2003 Server key archival is not supported.

30 Windows 2008 Server is supported from SafeSign IC version 3.0.33 onwards.

31 Windows Server 2012 is supported from SafeSign IC version 3.0.80-x64 onwards.


Application | Application version | Supported by SafeSign IC versions
Safelayer KeyOne® product family (see note 32) (tested by supplier: Safelayer) | 2.1 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SECUDE Trustmanager Enterprise (tested by supplier) | 5.9.2 | 2.1, 2.2, 2.3, 3.0
Verisign Key Manager | 3.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Verisign Managed PKI Manager | 5.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
VeriSign Public / Private CA | N/A (Not Applicable) | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0

9.2 Client Applications

Application | Application version | Supported by SafeSign IC versions
Adobe Reader X, XI | 10.0, 10.0.1, 10.1.0, 11.0.0.3 | 3.0.45 and above
Checkpoint VPN (VPN-1 SecuRemote / SecureClient) | NG FP3, R56, R60, R65 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Cisco VPN client (tested by supplier: Cisco) | 3.6 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Citrix MetaFrame XP Server | FR3/SP3 | 2.0, 2.1, 2.2, 2.3, 3.0
Citrix MetaFrame Presentation Server | 3.0, 4.0, 4.5 | 2.1, 2.2, 2.3, 3.0
Citrix XenApp | 5.0, 6.0, 6.5 | 3.0.45+
Digitronic Authentication (tested by partner) | 2.0.1 | 2.0, 2.1, 2.2, 2.3, 3.0
McAfee SafeBoot, Desktop Encryption | 4.2 | 2.0, 2.1, 2.2, 2.3, 3.0
E-Lock ProSigner | 6.1.2.0, 6.1.3 | 2.0 (≥ version 2.0.3, see note 33), 2.1, 2.2, 2.3, 3.0
Entrust Entelligence: Desktop Manager, E-mail Plug-in, File Plug-in, Web Plug-in (see note 34) | 6.1 SP1 | 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0

32 Only those components requiring the PKCS#11 interface, which includes the certificate management modules: the KeyOne® CA, KeyOne® LRA and KeyOne® Register components.

33 Supported by SafeSign Identity Client version 2.0.3, which takes into account certain expectations of the ProSigner application with regard to encryption algorithms.

34 Formerly known as Entrust/Direct, this product is now a component of the Entrust Entelligence product portfolio.


Application | Application version | Supported by SafeSign IC versions
Entrust Entelligence: Security Provider | 7.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Entrust TruePass: TruePass | 6.0 | 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
eTrust SSO (tested by partner) | 6.5 SP2 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Gemplus eSigner Integrator package | 2.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Google Chrome | 18.0, 21.x, 35.0 | 3.0
IBM Lotus Notes (tested by partner) | 6.01, 6.5 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft CAPICOM | 2.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0.33
Microsoft Internet Explorer (see note 35) | 5.0, 5.5, 6.0, 7.0, 8.0, 9.0, 10.0, 11 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Outlook | 98, 2000, XP, 2003, 2007, 2010, 2013 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Outlook Express | 5.0, 5.5, 6.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Outlook Web Access | Exchange Server 5.0 and higher | 2.1 (≥ release 2.1.6), 2.2, 2.3, 3.0
Microsoft VPN | Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 2003, Windows 2008, Windows 2012 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Windows Mail | 6.0 | 3.0
Microsoft Office | 2007, 2010, 2013 | 3.0.40+
Mozilla Firefox (see note 36) | 1.0.x, 1.5, 2.0, 3.0, 3.5, 3.6, 13.0.1, 18.0.2, 30.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Mozilla Mail | 1.3.1, 1.4, 1.7.x | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3
Mozilla Navigator | 1.3.1, 1.4, 1.7.x | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Mozilla Thunderbird | 1.0.x, 1.5, 2.0, 2.0.0.23, 3.1, 13.0.1, 17.0.2, 24.6.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0

35 Internet Explorer 9 is not supported in SafeSign Identity Client version 3.0.45, but it is in 3.0.70.

36 Mozilla Firefox 4 is not supported in SafeSign Identity Client version 3.0.45.


Application | Application version | Supported by SafeSign IC versions
NCP VPN/PKI Client | 7.21, 8.0, 8.05, 8.22 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Netscape Navigator | 4.72 - 4.79, 4.8, 7.1 (see note 37), 8.02 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Netscape Messenger | 4.72 - 4.79, 4.8, 7.1 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Nortel Networks Contivity VPN client | 6.02 | 2.3, 3.0
Novell Groupwise 6.0 client | 6.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3
Novell NMAS | 2.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
OpenDomain Sphinx Logon Manager | Sphinx Standalone, Sphinx Enterprise, Sphinx Enterprise PKI | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
OpenOffice Writer | 2.4.1, 3.1.1, 3.2.1, 3.3.0, 3.4.0 | 3.0.45+
PGP Corporate Desktop | 7.1, 8.0, 8.02, 8.1, 9.0x | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
PKWare SecureZIP | v8 | 2.1 (≥ release 2.1.6), 2.2, 2.3, 3.0
Pointsec PC for Windows 6.3.1 | 6.3.1 | 2.3 (≥ release 2.3.6), 3.0
Protocom SecureLogin SSO (tested by supplier: Protocom) | 3.5.1, 3.6 | 2.0, 2.1, 2.2, 2.3, 3.0
Protocom SecureLogin Advanced Authentication (tested by supplier: Protocom) | 1.90 | 2.0, 2.1, 2.2, 2.3, 3.0
RSA SecurID | 2.51, 3.0 | 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeGuard PrivateDisk | All versions | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeGuard Sign & Crypt for Office (tested by supplier: Utimaco) | 3.00 and up | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeGuard Sign & Crypt for Outlook (tested by supplier: Utimaco) | 3.00 and up | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeGuard Sign & Crypt for Lotus Notes (tested by supplier: Utimaco) | 3.10 and up | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0

37 Netscape 7.02 has been tested but proved not to be very stable; therefore it is not (officially) supported.


Application | Application version | Supported by SafeSign IC versions
SafeGuard Transaction Client (tested by supplier: Utimaco) | 3.0 and up | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SafeNet SoftRemote (VPN client) (tested by partner) | 8.0.0 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
SECUDE signon (tested by supplier) | 5.9.2 | 2.1, 2.2, 2.3, 3.0
SECUDE signon & secure (tested by supplier) | 4.2.7 | 2.1, 2.2, 2.3, 3.0
SECUDE FinallySecure (tested by supplier) | 9.1 | 2.1, 2.2, 2.3, 3.0
SSH Tectia Client (formerly known as Secure Shell for Workstations) (tested by supplier) | 3.2, 4.2 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Remote Desktop Connection (Client) | Windows XP, Windows Vista, Windows 7, Windows 8 | 3.0
Microsoft Remote Desktop Services | Windows Server 2003 | 1.0.9.04, 1.0.9.04-Update, 2.0, 2.1, 2.2, 2.3, 3.0
Microsoft Remote Desktop Services | Windows Server 2008 | 3.0
Microsoft Remote Desktop Services | Windows Server 2012 | 3.0.80+
Winmagic SecureDoc | 4.1 | 2.1, 2.2, 2.3, 3.0

